National concerns and theoretical accounting

“Only 54 U.S. government online systems were successfully attacked in the first half of this year compared with the 204 overt attacks that took place in the first half of 2001. . . . The overall trend for overt digital attacks on military and government online computers is declining since April and May 2001 . . . . [There] were 2,031 overt attacks on government and military targets recorded worldwide in 2001 by the mi2g SIPS database. For 2002, the mi2g Intelligence Unit is projecting a total of 1,400 such attacks, a decline of a third, year on year.”– News releases from U.K. consultancy mi2g

Let’s assume mi2g is not getting accurate reporting from the various government agencies. If that is true, let’s assume it has always been receiving lower figures than is actually the case. Therefore the downward trend really is a downward trend.

This calls into question the real cost and relevance of what are often called cyber incidents,which makes you wonder about how relevant the U.S.’s Critical Infrastructure Protection Board’s (CIPB) draft report, “The National Strategy to Secure Cyberspace” issued in September, really is.

The report was built on a handful of assumptions. The first was: “Cyber incidents are increasing in number, sophistication, severity and cost.” If you believe mi2g’s analysis, then the CIPB’s report is overblown and the board’s very existence questionable.

I wonder if the hyped cost of cyber incidents is like the equally hyped cost of employee misuse of Internet connections or the cost of any other problem that is measured in tiny increments – largely an exercise in theoretical accounting.

Theoretical accounting is my term for financial analyses that show gains or losses based upon the movements of very small amounts of money or money that is gained or lost by inference.

If 1,000 employees, who cost an average of $70,000 fully burdened, each spend 15 minutes every day walking to and from the coffee machine, the cost to the company is $2,186,000 per year. In many circles people will say, “We must do something about this,” and consequently fire the company that provides the coffee service.

It is always easy to elevate theoretical accounting into a serious, corporate issue because it has the smell of logic. In general, this logic can be expressed as tiny-amounts-of-money multipled by some-number-of-people equals $X. And if $X is a number that is big enough to care about, then $X matters and SOMETHING MUST BE DONE ABOUT IT!

And anywhere computers are involved, theoretical accounting is easy because microcosts (that is, fractional costs that can only be measured because of computers) can be tracked.

The trick for IT folks is to not let theoretical accounting using microcosts become a measure of performance. Once the bean counters get hold of this kind of data, no one is safe because it appears to make sense. And the people who become the police of theoretical accounting are those who can measure it: the IT group.

But back to the cost of cyber incidents: At the lowest level, if your home PC is trashed by a virus I might feel sorry for you (don’t count on it), but in the grand scheme of things the burden is on you.

It is just like when you forget to change the oil in your car and your engine seizes – sure, in the big picture it costs the nation but making a case for legislation to make people change their oil would be ridiculous. And the same applies up the Internet food chain. If a major online vendor gets hacked, tough, that’s life. Or a virtual version thereof.

Like the cost to the nation of not changing your oil, the cost of cyber incidents is another example of theoretical accounting: Something interesting, apparently logical but useless in strategic thinking.

Send your accounting, theoretical or otherwise, to backspin@gibbs.com.